Doesn't sound good...
...considering at work a few months back we got sent a phishing email. Oh look, its spoofing an NHS.net email account. Check the headers. OK, that's interesting, its not spoofed. The return address is valid. So someone has broken into an NHS.net account and using it to send phishing info. Nice. Why don't they have 2fa on? Unless their device was compromised as well.
I reported to nhs.net. Never did get a reply. Rude.